// Trust & Security Report

    FrontApp, Inc. logo

    FrontApp, Inc.

    AI-powered customer service and shared inbox platform

    Certifications held

    7

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    SOC 2 listed under Compliance on trust.front.com; downloadable resource: Engagement letter_FrontApp, Inc. SOC 2 .pdf

    Verify on trust.front.com
    ISO 27001:2013
    HELD

    ISO 27001:2013 listed under Compliance on trust.front.com; downloadable resource: ISO 27001 Certificate 8/2024 - 8/2027

    Verify on trust.front.com
    ISO 27001:2022
    HELD

    ISO 27001:2022 listed as a separate Compliance item on trust.front.com, shown alongside ISO 27001:2013

    Verify on trust.front.com
    GDPR
    HELD

    GDPR listed as COMPLIANT on trust.front.com; DPA effective February 1, 2024 incorporates Module 2 SCCs (Controller to Processor) governed by Irish law for EU transfers; UK Transfer Addendum and Swiss FADP adaptation also documented

    Verify on front.com
    CCPA
    HELD

    CCPA COMPLIANT listed under Compliance on trust.front.com; privacy notice addresses California consumer rights

    Verify on trust.front.com
    HIPAA
    HELD

    HIPAA listed on trust.front.com with FAQ for HIPAA.pdf available; BAAs offered to qualifying customers: 'Front reserves the right to enter into BAAs for Customers whose annual contract price with Front meets a certain threshold.' AI features (Autopilot, Copilot, AI Answers, Live Chat/Chatbots) are explicitly excluded from HIPAA coverage.

    Verify on front.com
    PCI DSS
    HELD

    Front PCI SAQ A Compliance listed under resources on trust.front.com. SAQ A is the self-assessment questionnaire for merchants that outsource all cardholder data functions, not a full PCI DSS certification by a QSA.

    Verify on trust.front.com
    > Show 6 unconfirmed / not-held certifications
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization found on trust.front.com, front.com/security, or front.com/legal pages.

    source: trust.front.com
    ISO 27017
    NOT CONFIRMED

    No public evidence of ISO 27017 certification found on trust.front.com or any Front-domain pages.

    source: trust.front.com
    ISO 27018
    NOT CONFIRMED

    No public evidence of ISO 27018 certification found on trust.front.com or any Front-domain pages.

    source: trust.front.com
    ISO 27701
    NOT CONFIRMED

    No public evidence of ISO 27701 certification found on trust.front.com or any Front-domain pages.

    source: trust.front.com
    ISO 42001 (AI Management)
    NOT CONFIRMED

    No public evidence of ISO 42001 certification found on trust.front.com or any Front-domain pages.

    source: trust.front.com
    CSA STAR
    NOT CONFIRMED

    CAIQ document is listed in trust.front.com resources (indicating the questionnaire was completed), but no CSA STAR Level 1 or Level 2 certification listing was found.

    source: trust.front.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Primarily United States (AWS infrastructure). EU data transfer mechanisms in place via SCCs and UK/Swiss addenda. EU regional hosting mentioned on security page but no contractually guaranteed EU-only residency in the DPA.

    Supplemental Terms explicitly state: 'Front prohibits Subprocessors to use Customer Data to train foundation models.' AI subprocessors are OpenAI, Microsoft, and AWS. However, the SaaS Services Agreement (Section 4.3) reserves Front's right to use customer data 'to provide and improve the Services,' and the trial/beta carve-out in Section 12 permits expanded data collection for service improvement 'irrespective of whether Customer had opted-out.' Foundation model training is clearly prohibited; broader service-improvement usage is permitted and not opt-out-able in trials.

    // Security controls

    Encryption in transit

    TLS 1.2

    front.com

    Encryption at rest

    AES-256

    front.com

    Infrastructure

    Amazon Web Services (AWS), multi-availability-zone deployment with daily backups and automatic scaling

    front.com

    Penetration testing

    Annual independent third-party penetration tests; 2025 and 2026 results listed on trust.front.com

    trust.front.com

    Bug bounty

    HackerOne-managed bug bounty program

    front.com

    Authentication

    Two-factor authentication (2FA), SAML-based SSO, OAuth for Office 365 and Gmail

    front.com

    Email security

    SPF, DKIM, and DMARC record support

    front.com

    Continuity and disaster recovery

    DR plans established and tested (listed as trust center controls)

    trust.front.com

    Cybersecurity insurance

    Maintained; Certificate of Insurance available via trust.front.com

    trust.front.com

    Subprocessors

    Listed at https://front.com/legal/list-of-subprocessors; 30-day notice required before new subprocessors added, with customer objection rights

    front.com

    // Products & data scope

    Front (core platform)Customer service / shared inbox / help desk

    data: Customer emails, conversations, contact data, team collaboration content, attachments

    SOC 2 Type II and ISO 27001:2022 apply. HIPAA BAA available for eligible customers (minimum annual contract value required). GDPR covered by DPA with SCCs.

    Front AI (Autopilot, Copilot, Smart QA, Smart CSAT)AI customer service automation and quality assurance

    data: Customer conversation content processed by OpenAI, Microsoft, AWS subprocessors

    AI subprocessors contractually prohibited from training foundation models on customer data. Autopilot and Copilot are explicitly excluded from HIPAA BAA coverage. No ISO 42001 certification. Outputs are 'computer-generated without human review by Front, and may be inaccurate, incomplete, and/or biased' per supplemental terms.

    Front Knowledge BaseSelf-service support content management

    data: Help articles and documentation; not covered under HIPAA BAA

    Excluded from HIPAA coverage. GDPR/SOC 2 protections apply.

    // What to watch

    • SOC 2 2025 audit was listed as 'in progress' as of September 24, 2025 on trust.front.com; bridge letter and engagement letter available but the formal Type II report for the period ending ~August 2025 may not be finalized yet.
    • HIPAA BAA requires an undisclosed minimum annual contract value — not available to all customers; AI features (Autopilot, Copilot, Live Chat, AI Answers, Knowledge Base) are explicitly excluded from HIPAA BAA scope.
    • PCI compliance is SAQ A self-assessment only (the lowest-tier questionnaire for merchants outsourcing all card data functions), not a full QSA-validated PCI DSS certification.
    • SaaS agreement Section 4.3 gives Front broad rights to use customer data 'to provide and improve the Services.' Trial/beta carve-out (Section 12) permits data use for service improvement irrespective of opt-out choices.
    • No ISO 27017, 27018, 27701, or ISO 42001 (AI Management System) certifications found despite active AI product suite with multiple AI subprocessors.
    • CAIQ completed (listed in trust center resources) but no CSA STAR Level 1 or Level 2 listing confirmed.
    • Default data residency is US; EU residency not contractually guaranteed in DPA despite SCCs being in place for cross-border transfer compliance.
    • AI output disclaimer in supplemental terms warns outputs may be 'inaccurate, incomplete, and/or biased' with no warranty from Front — relevant for regulated-industry customers.

    // At a glance

    Pricing model

    Subscription SaaS (per seat/month); enterprise tiers with annual contracts required for HIPAA BAA eligibility

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on FrontApp, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.front.com

    > Browse all vendor trust reports